Windows Account Integration

MDaemon supports Windows Account integration. This support consists of a SAM/Active Directory import engine, which can be reached from MDaemon's Accounts menu (Accounts » Importing... » Import accounts from SAM/Active directory...). Additionally, support for Active Directory (AD) authentication of users is embedded into the MDaemon user management code. It is possible to specify a Windows domain in an account’s password field and then MDaemon will dynamically authenticate such accounts in real-time, using the specified Windows domain’s security system. Under such a scheme, changing the account’s password in Windows user management will automatically update MDaemon. Therefore, your users will only have to remember one set of authentication credentials. This also makes for very easy account setup for new installations.

The security context of the account running MDaemon must have the SE_TCB_NAME privilege (i.e. “To act as part of the Operating System”). If the process is a service running in the Local System account, it will have this privilege by default. Otherwise, it must be set in the Windows user manager for the account under which MDaemon is running.

SAM/Active Directory Account Importer

Domains

PDC/BDC Machine name

This field allows you to specify the machine name from which MDaemon will read Windows account database information. You can specify \\<DEFAULT> and MDaemon will read data from the local machine.

Refresh

Click this button to refresh the Windows Accounts listing.

Windows domain name

Type the Windows domain name from which you wish to import accounts.

MDaemon domain name

Choose from the drop-down list box the MDaemon domain into which the accounts will be imported.

Accounts

Windows accounts

This window contains a list of all the account names collected from the Windows account database.

Selected accounts

This window contains all the account names that you have selected and wish to import.

>>

Click this button to move the highlighted account names from the "Windows Accounts" window into the "Selected Accounts" window.

<<

Click this button to remove the highlighted entries from the "Selected Accounts" window.

Options

Make account mailboxes equal to the SAM/AD account name

Click this switch to force each imported user's Windows account name to be used as their Mailbox value. With this method, you will not need to worry about setting up the correct New Account Template macros.

Use the account template to generate passwords

This option causes MDaemon to generate passwords for imported accounts using the account template settings (see Account Defaults).

Set account passwords equal to account names

This switch causes MDaemon to use the account name as the account password.

Make every password equal to…

This switch allows you to specify a static password value that will be used by all imported accounts.

Authenticate passwords dynamically using SAM/AD

This switch enables AD authentication of imported accounts. Rather than storing a password, MDaemon will authenticate the USER and PASS values supplied by the mail client against the NT database in real time.

Authenticate on this Windows domain

Enter the name of the Windows domain that MDaemon will use when authenticating connections dynamically. This is not the machine name of the domain controller. It is the actual name of the Windows Domain.

When accounts are configured for AD authentication, the name of the Windows domain preceded by two backslash characters is used in the account's PASSWORD field and is stored unencrypted within the USERLIST.DAT file. For example, if an account is configured for AD authentication on a Windows domain called ALTN, the account's password field will contain the value \\ALTN. The two backslash characters preceding the domain name signify to MDaemon that the password field actually contains the name of a Windows domain and that MDaemon should attempt to authenticate the USER and PASS values provided by the mail client using that domain's account database. For that reason you must not start a password with two backslash characters unless the account is configured for AD authentication as described above. In other words, you can't just have regular passwords that start with two backslashes. Passwords beginning with two backslashes are always assumed to be providing a Windows domain name and not a password.

You may enter the two backslashes and Windows domain name combination into an account's password field on the Account Details screen of the Account Editor. You need not restrict yourself to using the importer in order to set up accounts for AD authentication.
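The two-backslash convention described above is simple enough to model, and worth checking when reviewing an exported account list: a password field that begins with \\ names a Windows domain for dynamic authentication, and anything else is a locally stored password. The following Python is an added example, not MDaemon's own code. The account-to-field mapping it works on is a constructed simplification (this page does not show the real USERLIST.DAT record layout), and the audit helper, its expected-domain comparison and the sample account names are assumptions of the example.

```python
"""Added example (not MDaemon code): model the "\\DOMAIN" password field rule.

The only facts taken from the help text are: a password field starting with two
backslashes holds a Windows domain name rather than a password, and ordinary
passwords must therefore never start with two backslashes.
"""
from dataclasses import dataclass
from typing import Dict, List

DOMAIN_MARKER = "\\\\"  # two literal backslash characters, e.g. \\ALTN


@dataclass(frozen=True)
class AuthPolicy:
    mode: str   # "windows_domain" (dynamic SAM/AD authentication) or "static_password"
    value: str  # the Windows domain name, or the stored password


def classify_password_field(field: str) -> AuthPolicy:
    """Apply the page's rule to one stored password field value."""
    if field.startswith(DOMAIN_MARKER):
        return AuthPolicy("windows_domain", field[len(DOMAIN_MARKER):])
    return AuthPolicy("static_password", field)


def has_reserved_prefix(candidate: str) -> bool:
    """True when a would-be password would be misread as a domain marker."""
    return candidate.startswith(DOMAIN_MARKER)


def validate_static_password(candidate: str) -> str:
    """Guard for the rule that regular passwords may not start with \\."""
    if has_reserved_prefix(candidate):
        raise ValueError(
            "password may not begin with two backslashes; that prefix is "
            "reserved for a Windows domain name (dynamic AD authentication)"
        )
    return candidate


def audit_accounts(fields: Dict[str, str], expected_domain: str) -> List[str]:
    """Report AD-authenticated accounts whose domain marker is empty or points
    at a domain other than the one the administrator expects (hypothetical
    check, not an MDaemon feature). Domain names are compared case-insensitively."""
    findings: List[str] = []
    for account, field in fields.items():
        policy = classify_password_field(field)
        if policy.mode != "windows_domain":
            continue  # locally stored password; nothing to compare against a domain
        if not policy.value:
            findings.append(f"{account}: domain marker present but domain name is empty")
        elif policy.value.upper() != expected_domain.upper():
            findings.append(
                f"{account}: authenticates on domain {policy.value}, expected {expected_domain}"
            )
    return findings


# Constructed sample data (hypothetical accounts and domains, not real MDaemon output).
SAMPLE_FIELDS: Dict[str, str] = {
    "frank": "\\\\ALTN",           # dynamic authentication on ALTN, as in the help text
    "mary": "\\\\altn",            # same domain, different case
    "bob": "\\\\",                 # marker with no domain name: misconfigured
    "svc_backup": "\\\\OTHERDOM",  # points at a domain we did not expect
    "guest": "hunter2",            # ordinary static password
}

if __name__ == "__main__":
    for name, field in SAMPLE_FIELDS.items():
        print(f"{name:>10}: {classify_password_field(field)}")
    for finding in audit_accounts(SAMPLE_FIELDS, "ALTN"):
        print("FINDING:", finding)
```

Note that the domain marker itself is not a secret (the page states it is stored unencrypted), but static passwords in the same file are credentials, so any script that reads the real file should be run and stored with the same care as the file itself.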

See: